Moby Versions Save

25.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.3 milestone
• moby/moby, 25.0.3 milestone

Bug fixes and enhancements

• containerd image store: Fix a bug where docker image history would fail if a manifest wasn't found in the content store. moby/moby#47348

• Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304

  Note

  • Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
  • Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.

• Fix docker save <image>@<digest> producing an OCI archive with index without manifests. moby/moby#47294
• Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311
• Fix a bug where containers are unable to communicate over an internal network. moby/moby#47303
• Fix a bug where the value of the ipv6 daemon option was ignored. moby/moby#47310
• Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323
• Fix a potential race condition in the managed containerd supervisor. moby/moby#47313
• Fix an issue with the journald log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243
• seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341
• Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337

Packaging updates

• Removed support for Ubuntu Lunar (23.04). docker/ce-packaging#986

24.0.9

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.9 milestone
• moby/moby, 24.0.9 milestone

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVE	Component	Fix version	Severity
CVE-2024-21626	runc	1.1.12	High, CVSS 8.6
CVE-2024-24557	Docker Engine	24.0.9	Medium, CVSS 6.9

Important ⚠️

Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:

• CVE-2024-23651
• CVE-2024-23652
• CVE-2024-23653
• CVE-2024-23650

To address these vulnerabilities, upgrade to Docker Engine v25.0.2.

For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

• CVE-2024-21626
• CVE-2024-24557

Packaging updates

• Upgrade runc to v1.1.12. moby/moby#47269
• Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280

25.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.2 milestone
• moby/moby, 25.0.2 milestone

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVE	Component	Fix version	Severity
CVE-2024-21626	runc	1.1.12	High, CVSS 8.6
CVE-2024-23651	BuildKit	1.12.5	High, CVSS 8.7
CVE-2024-23652	BuildKit	1.12.5	High, CVSS 8.7
CVE-2024-23653	BuildKit	1.12.5	High, CVSS 7.7
CVE-2024-23650	BuildKit	1.12.5	Medium, CVSS 5.5
CVE-2024-24557	Docker Engine	25.0.2	Medium, CVSS 6.9

The potential impacts of the above vulnerabilities include:

• Unauthorized access to the host filesystem
• Compromising the integrity of the build cache
• In the case of CVE-2024-21626, a scenario that could lead to full container escape

For more information about the security issues addressed in this release, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

• CVE-2024-21626
• CVE-2024-23651
• CVE-2024-23652
• CVE-2024-23653
• CVE-2024-23650
• CVE-2024-24557

Packaging updates

• Upgrade containerd to v1.6.28.
• Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280
• Upgrade runc to v1.1.12. moby/moby#47269
• Upgrade Compose to v2.24.5. docker/docker-ce-packaging#985
• Upgrade BuildKit to v0.12.5. moby/moby#47273

23.0.9

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 23.0.9 milestone
• moby/moby, 23.0.9 milestone

24.0.8

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.8 milestone
• moby/moby, 24.0.8 milestone

Bug fixes and enhancements

• Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857

Packaging updates

• Upgrade Go to go1.20.13. moby/moby#47054, docker/cli#4826, docker/docker-ce-packaging#975
• Upgrade containerd (static binaries only) to v1.7.12 moby/moby#47096
• Upgrade runc to v1.1.11. moby/moby#47010

25.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.1 milestone
• moby/moby, 25.0.1 milestone

Bug fixes and enhancements

• API: Fix incorrect HTTP status code for containers with an invalid network configuration created before upgrading to Docker Engine v25.0. moby/moby#47159
• Ensure that a MAC address based on a container's IP address is re-generated when the container is stopped and restarted, in case the generated IP/MAC addresses have been reused. moby/moby#47171
• Fix host-gateway-ip not working during build when not set through configuration. moby/moby#47192
• Fix a bug that prevented a container from being renamed twice. moby/moby#47196
• Fix an issue causing containers to have their short ID added to their network alias when inspecting them. moby/moby#47182
• Fix an issue in detecting whether a remote build context is a Git repository. moby/moby#47136
• Fix an issue with layers order in OCI manifests. moby/moby#47150
• Fix volume mount error when passing an addr or ip mount option. moby/moby#47185
• Improve error message related to extended attributes that can't be set due to improperly namespaced attribute names. moby/moby#47178
• Swarm: Fixed start_interval not being passed to the container config. moby/moby#47163

Packaging updates

• Upgrade Compose to 2.24.2. docker/docker-ce-packaging#981

25.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.0 milestone
• moby/moby, 25.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add OpenTelemetry tracing. moby/moby#45652, moby/moby#45579
• Add support for CDI devices under Linux. moby/moby#45134, docker/cli#4510, moby/moby#46004
• Add an additional interval to be used by healthchecks during the container start period. moby/moby#40894, docker/cli#4405, moby/moby#45965
• Add a --log-format flag to dockerd to control the logging format: text (default) or JSON. moby/moby#45737
• Add support for recursive read-only mounts. moby/moby#45278, moby/moby#46037
• Add support for filtering images based on timestamp with docker image ls --filter=until=<timestamp>. moby/moby#46577

Bug fixes and enhancements

• API: Fix error message for invalid policies at ValidateRestartPolicy. moby/moby#46352
• API: Update /info endpoint to use singleflight. moby/moby#45847
• Add an error message for when specifying a Dockerfile filename with -f, and also using stdin. docker/cli#4346
• Add support for mac-address and link-local-ip fields in --network long format. docker/cli#4419
• Add support for specifying multiple --network flags with docker container create and docker run. moby/moby#45906
• Automatically enable IPv6 on a network when an IPv6 subnet is specified. moby/moby#46455
• Add support for overlay networks over IPv6 transport. moby/moby#46790
• Configuration reloading is now more robust: if there's an error during the configuration reload process, no configuration changes are applied. moby/moby#43980
• Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857
• Live restore: containers that are live-restored will now be given another health-check start period when the daemon restarts. moby/moby#47051
• Container health status is flushed to disk less frequently, reducing wear on flash storage. moby/moby#47044
• Ensure network names are unique. moby/moby#46251
• Ensure that overlay2 layer metadata is correct. moby/moby#46471
• Fix Downloading progress message on image pull. moby/moby#46515
• Fix NetworkConnect and ContainerCreate with improved data validation, and return all validation errors at once. moby/moby#46183
• Fix com.docker.network.host_ipv4 option when IPv6 and ip6tables are enabled. moby/moby#46446
• Fix daemon's cleanupContainer if containerd is stopped. moby/moby#46213
• Fix returning incorrect HTTP status codes for libnetwork errors. moby/moby#46146
• Fix various issues with images/json API filters and image list. moby/moby#46034
• CIFS volumes now resolves FQDN correctly. moby/moby#46863
• Improve validation of the userland-proxy-path daemon configuration option. Validation now happens during daemon startup, instead of producing an error when starting a container with port-mapping. moby/moby#47000
• Set the MAC address of container's interface when network mode is a short network ID. moby/moby#46406
• Sort unconsumed build arguments before display in build output. moby/moby#45917
• The docker image save tarball output is now OCI compliant. moby/moby#44598
• The daemon no longer appends ACCEPT rules to the end of the INPUT iptables chain for encrypted overlay networks. Depending on firewall configuration, a rule may be needed to permit incoming encrypted overlay network traffic. moby/moby#45280
• Unpacking layers with extended attributes onto an incompatible filesystem will now fail instead of silently discarding extended attributes. moby/moby#45464
• Update daemon MTU option to BridgeConfig and display warning on Windows. moby/moby#45887
• Validate IPAM config when creating a network. Automatically fix networks created prior to this release where --ip-range is larger than --subnet. moby/moby#45759
• containerd image store: Add image events for push, pull, and save. moby/moby#46405
• containerd image store: Add support for pulling legacy schema1 images. moby/moby#46513
• containerd image store: Add support for pushing all tags. moby/moby#46485
• containerd image store: Add support for registry token. moby/moby#46475
• containerd image store: Add support for showing the number of containers that use an image. moby/moby#46511
• containerd image store: Fix a bug related to the ONBUILD, MAINTAINER, and HEALTHCHECK Dockerfile instructions. moby/moby#46313
• containerd image store: Fix Pulling from progress message. moby/moby#46494
• containerd image store: Add support for referencing images via the truncated ID with sha256: prefix. moby/moby#46435
• containerd image store: Fix docker images showing intermediate layers by default. moby/moby#46423
• containerd image store: Fix checking if the specified platform exists when getting an image. moby/moby#46495
• containerd image store: Fix errors when multiple ADD or COPY instructions were used with the classic builder. moby/moby#46383
• containerd image store: Fix stack overflow errors when importing an image. moby/moby#46418
• containerd image store: Improve docker pull progress output. moby/moby#46412
• containerd image store: Print the tag, digest, and size after pushing an image. moby/moby#46384
• containerd image store: Remove panic from UpdateConfig. moby/moby#46433
• containerd image store: Return an error when an image tag resembles a digest. moby/moby#46492
• containerd image store: docker image ls now shows the correct image creation time and date. moby/moby#46719
• containerd image store: Fix an issue handling user namespace settings. moby/moby#46375
• containerd image store: Add support for pulling all tags (docker pull -a). moby/moby#46618
• containerd image store: Use the domain name in the image reference as the default registry authentication domain. moby/moby#46779

Packaging updates

• Upgrade API to v1.44. moby/moby#45468
• Upgrade Compose to 2.24.1. docker/docker-ce-packaging#980
• Upgrade containerd to v1.7.12 (static binaries only). moby/moby#47070
• Upgrade Go runtime to 1.21.6. moby/moby#47053
• Upgrade runc to v1.1.11. moby/moby#47007
• Upgrade BuildKit to v0.12.4. moby/moby#46882
• Upgrade Buildx to v0.12.1. docker/docker-ce-packaging#979

Removed

• API: Remove VirtualSize field for the GET /images/json and GET /images/{id}/json endpoints. moby/moby#45469
• Remove deprecated devicemapper storage driver. moby/moby#43637
• Remove deprecated orchestrator options. docker/cli#4366
• Remove support for Debian Upstart init system. moby/moby#45548, moby/moby#45551
• Remove the --oom-score-adjust daemon option. moby/moby#45484
• Remove warning for deprecated ~/.dockercfg file. docker/cli#4281
• Remove logentries logging driver. moby/moby#46925

Deprecated

• Deprecate API versions older than 1.24. Deprecation notice
• Deprecate IsAutomated field and is-automated filter for docker search. Deprecation notice
• API: Deprecate Container and ContainerConfig properties for /images/{id}/json (docker image inspect). moby/moby#46939

25.0.0-rc.3

This is a pre-release of the upcoming 25.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Known issues:

• There is no changelog yet; an overview of pull requests included in this release can be found on GitHub:
  • docker cli: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
  • docker engine: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
• dockerd now uses systemd's default LimitNOFILE which on older versions of systemd, such as used by CentOS 7 is very low and may limit the number of containers that can be run. Set LimitNOFILE=1048576 to get the previous behavior.
• There are no packages available yet for the s390x and ppc64le architectures
• There may be bugs! :warning:

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [25.0.0-rc] in the issue title

25.0.0-rc.2

This is a pre-release of the upcoming 25.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Known issues:

• There is no changelog yet; an overview of pull requests included in this release can be found on GitHub:
  • docker cli: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
  • docker engine: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
• dockerd now uses systemd's default LimitNOFILE which on older versions of systemd, such as used by CentOS 7 is very low and may limit the number of containers that can be run. Set LimitNOFILE=1048576 to get the previous behavior.
• There are no packages available yet for the s390x and ppc64le architectures
• There may be bugs! :warning:

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [25.0.0-rc] in the issue title

25.0.0-rc.1

This is a pre-release of the upcoming 25.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Known issues:

• There is no changelog yet; an overview of pull requests included in this release can be found on GitHub:
  • docker cli: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
  • docker engine: all pull requests for 25.0.0 / all "changelog" pull requests for 25.0.0
• dockerd now uses systemd's default LimitNOFILE which on older versions of systemd, such as used by CentOS 7 is very low and may limit the number of containers that can be run. Set LimitNOFILE=1048576 to get the previous behavior.
• There are no packages available yet for the s390x and ppc64le architectures
• There may be bugs! :warning:

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [25.0.0-rc] in the issue title